ionize 1.0.8 - Cross-Site Scripting (XSS) #393

Closed
bestshow opened this issue Feb 10, 2017 · 6 comments

Comments

@bestshow

bestshow commented Feb 10, 2017

Product: ionize
Vendor: ionize (http://www.ionizecms.com)
Vulnerable Version: 1.0.8 and probably prior
Tested Version: 1.0.8
Author: ADLab of Venustech

Advisory Details:
I have discovered a Cross-Site Scripting (XSS) in ionize, which can be exploited to add, modify or delete information in the application's database and gain complete control over the application.

The vulnerability exists due to insufficient filtration of user-supplied data in the “path” HTTP GET parameter passed to the “ionize-master/ionize-master/themes/admin/javascript/tinymce/jscripts/tiny_mce/plugins/codemirror/dialog.php” URL. An attacker could execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to show a pop-up message box:
http://localhost/testcmsofgithub/ionize-master/ionize-master/themes/admin/javascript/tinymce/jscripts/tiny_mce/plugins/codemirror/dialog.php?path=%22%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E%3Cscript%20%22
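As an added example, not code from this issue or from ionize, the Python sketch below shows why the reported `path` payload breaks out of a quoted attribute and two controls a defender would apply: an allow-list on the parameter and a log-review check. The `render_unsafe()` template is an assumption about how dialog.php used the parameter; the issue does not show the file.

```python
# Added example, not ionize's code: why the reported 'path' payload escapes a
# quoted attribute, plus two defender-side controls for a path-like parameter.
# render_unsafe() is an ASSUMED template for dialog.php; the file is not shown.
import html
import re
from urllib.parse import unquote, unquote_plus, urlparse

# Request quoted in the report (localhost test instance).
REPORTED_URL = ('http://localhost/testcmsofgithub/ionize-master/ionize-master/themes/admin/'
                'javascript/tinymce/jscripts/tiny_mce/plugins/codemirror/dialog.php'
                '?path=%22%3E%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E%3Cscript%20%22')

# Allow-list for a relative path segment: no quotes, angle brackets or whitespace.
SAFE_PATH = re.compile(r'[A-Za-z0-9_./-]+')

def query_param(url, name):
    """Minimal query parser: splits on '&' only, so ';' inside a value survives."""
    values = []
    for pair in urlparse(url).query.split('&'):
        key, _, value = pair.partition('=')
        if unquote(key) == name:
            values.append(unquote_plus(value))
    return values

REPORTED_PAYLOAD = query_param(REPORTED_URL, 'path')[0]  # "></script><script>alert(1);</script><script "

def render_unsafe(path):
    """Assumed vulnerable pattern: raw interpolation into a src attribute."""
    return f'<script src="{path}/codemirror.js"></script>'

def path_is_valid(path):
    """Reject anything outside the allow-list and any parent-directory step."""
    return bool(SAFE_PATH.fullmatch(path)) and '..' not in path

def render_safe(path):
    """Validate first, then attribute-escape what is emitted (defence in depth)."""
    if not path_is_valid(path):
        raise ValueError('rejected path parameter')
    return f'<script src="{html.escape(path, quote=True)}/codemirror.js"></script>'

def count_script_tags(markup):
    """A benign path yields exactly one <script> tag; an attribute breakout yields more."""
    return len(re.findall(r'<script\b', markup, flags=re.I))

def suspicious_path_param(url):
    """Log-review helper: flags decoded 'path' values carrying markup-breaking characters."""
    return any(re.search(r'["\'<>]', v) for v in query_param(url, 'path'))
```

Running `suspicious_path_param()` over access-log request lines is a cheap way to spot probing of this parameter, independent of whether the page itself has been patched.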

@partikule
Member

Thanks for this vulnerability feedback.

I'm not convinced that this vulnerability gives "complete control over the app".
Inserting / modifying / deleting data in the DB requires being logged in. If you're not logged in, calling an ajax script with this exploit will not give you the ability to insert something in the DB.

If you have a real example of capability to add / modify data in the DB from this exploit, please give us an example.

@bestshow
Author

Thanks for your reply.
The PoC popping up a message box means I can theoretically execute arbitrary code, so "add, modify or delete information in the application's database and gain complete control over the application" will theoretically succeed. At the very least I can execute arbitrary code.

Cheers!

@partikule
Member

I'm sorry, don't take it bad because I really thank you for the information about the exploit.

But again, executing arbitrary JS code doesn't mean you're able to do what you listed in the DB, or, if you can do so without being logged in, please do it!

Opening your car's fuel tank little door doesn't mean I can enter your car, start it up and start driving with it.

@bestshow
Author

Excuse me, please forgive my inaccurate words. This vulnerability could just lead to executing arbitrary JS code, but cannot attack the DB without being logged in. Still, thanks for your reply.

@attritionorg

Wouldn't this be a vulnerability in Tiny MCE given the code path listed?

@cnotin

cnotin commented Jun 21, 2018

For reference: assigned CVE-2017-5961 and targeting ionize
